def dns_status(): dns_servers_status = load_configuration('dns_server_status') dns_server = load_configuration('dns_server')['dns_server'] tls_enabled = dns_server['tls']['enabled'] dns_servers = dns_server['resolvers'] dns_servers_copy = deepcopy(dns_servers) for server, server_info in dns_servers_copy.items(): status = dns_servers_status.get(server_info['ip_address'], None) if (not status): tls = 'Waiting' dns = 'Waiting' else: dns = 'UP' if status['dns_up'] else 'Down' tls = 'UP' if status['tls_up'] else 'Down' if (not tls_enabled): tls = 'Disabled' dns_servers[server]['dns_up'] = dns dns_servers[server]['tls_up'] = tls # print(dnsstatus) return dns_servers
def _load_interfaces(self): fw_settings = load_configuration('config')['settings'] server_settings = load_configuration('dhcp_server')['dhcp_server'] fw_intf = fw_settings['interfaces'] dhcp_intfs = server_settings['interfaces'] # ident for intf in self.DHCPServer._intfs: # friendly name for _intf, settings in dhcp_intfs.items(): # ensuring the iterfaces match since we cannot guarantee order if (intf != settings['ident']): continue # passing over disabled server interfaces. NOTE: DEF temporary if not dhcp_intfs[_intf]['enabled']: continue # creating ipv4 interface object which will be associated with the ident in the config. # this can then be used by the server to identify itself as well as generate its effective # subnet based on netmask for ip handouts or membership tests. intf_ip = IPv4Interface( str(fw_intf[_intf]['ip']) + '/' + str(fw_intf[_intf]['netmask'])) # initializing server options so the auto loader doesnt have to worry about it. self.DHCPServer.options[intf] = {} # updating general network information for interfaces on server class object. these will never change # while the server is running. for interfaces changes, the server must be restarted. self.DHCPServer.intf_settings[intf] = {'ip': intf_ip}
def _load_restriction(self): ip_proxy = load_configuration('ip_proxy')['ip_proxy'] logging = load_configuration('logging_client')['logging'] restriction_start = ip_proxy['time_restriction']['start'] restriction_length = ip_proxy['time_restriction']['length'] os_direction = logging['time_offset']['direction'] os_amount = logging['time_offset']['amount'] offset = int(f'{os_direction}{os_amount}') * ONE_DAY return restriction_start, restriction_length, offset
def _get_settings(self, cfg_file): # print('[+] Starting: IPS Settings Update Thread.') ips = load_configuration(cfg_file)['ips'] self.IPS.ddos_prevention = ips['ddos']['enabled'] self.IPS.portscan_prevention = ips['port_scan']['drop'] # ddos CPS THRESHHOLD CHECK tcp_src_limit = ips['ddos']['limits']['source']['tcp'] udp_src_limit = ips['ddos']['limits']['source']['udp'] icmp_src_limit = ips['ddos']['limits']['source']['icmp'] self.IPS.connection_limits = { PROTO.ICMP: icmp_src_limit, PROTO.TCP: tcp_src_limit, PROTO.UDP: udp_src_limit } ##Checking length(hours) to leave IP Table Rules in place for hosts part of ddos attacks self.IPS.block_length = 0 if (self.IPS.portscan_prevention or self.IPS.ddos_prevention): self.IPS.block_length = ips['passive_block_ttl'] * 3600 ## Reject packet (tcp reset and icmp port unreachable) self.IPS.portscan_reject = ips['port_scan']['reject'] ## whitelist configured dns servers (local instance var) self.whitelist_dns_servers = ips['whitelist']['dns_servers'] self._cfg_change.set() self.initialize.done()
def _load_interfaces(self): interface = load_configuration('config.json') self.IPS.wan_int = interface['settings']['interfaces']['wan'] self.IPS.broadcast = Interface.broadcast_address( self.IPS.wan_int['ident'])
def get_settings(self, cfg_file): syslog = load_configuration(cfg_file)['syslog'] SyslogService = self.SyslogService SyslogService.syslog_enabled = syslog['enabled'] SyslogService.syslog_protocol = syslog['protocol'] SyslogService.tls_enabled = syslog['tls']['enabled'] SyslogService.self_signed_cert = syslog['tls']['self_signed'] SyslogService.tcp_fallback = syslog['tcp']['fallback'] SyslogService.udp_fallback = syslog['udp']['fallback'] syslog_servers = syslog['servers'] # if service is started without servers configured we will return here. if not syslog_servers: return names = ['primary', 'secondary'] with SyslogService.server_lock: for name, cfg_server, mem_server in zip(names, syslog_servers.values(), SyslogService.syslog_servers): if (cfg_server['ip_address'] == mem_server.get('ip')): continue getattr(SyslogService.syslog_servers, name).update({ 'ip': syslog_servers[name]['ip_address'], PROTO.UDP: True, PROTO.TCP: True, PROTO.DNS_TLS: True })
def combine_domains(self): dns_proxy_categories = load_configuration('dns_proxy') categories = dns_proxy_categories['dns_proxy']['categories'] default_cats = categories['default'] ud_cats = categories['user_defined'] for cat, settings in default_cats.items(): # NOTE: this will prevent loading disabled configs to memory. maybe make it a user configurable option later? # if (not settings['enabled']): continue self.combine_dom_files.append(cat) for file in self.combine_dom_files: try: with open(f'{HOME_DIR}/dnx_system/signatures/domain_lists/{file}.domains', 'r') as file: self.dom_signatures.extend([x.lower() for x in file.read().splitlines() if x and '#' not in x]) except FileNotFoundError: self.Log.alert(f'Unable to locate {file}.domains file. Contact Support.') with open(f'{HOME_DIR}/dnx_system/signatures/domain_lists/blocked.domains', 'w+') as blocked: blocked.write('\n'.join(self.dom_signatures)) # TODO: user defined categories will break the enum load on proxy / FIX # looping over all user defined categories for cat, settings in ud_cats: if (not settings['enabled']): continue # writing signatures to block file for signature in settings[1:]: blocked.write(f'{signature} {cat}\n'.lower()) # NOTE: nulling out signatures in memory so we dont have to wait for GC. self.dom_signatures = None
def load_page(): dhcp_server = load_configuration('dhcp_server.json')['dhcp_server'] dhcp_res_list = dhcp_server['reservations'] return {'reservations': { m2s(mac): info for mac, info in dhcp_res_list.items()} }
def _get_settings(self, cfg_file): ip_proxy = load_configuration(cfg_file)['ip_proxy'] enabled = ip_proxy['time_restriction']['enabled'] self._change_attribute('_enabled', enabled) self.initialize.done()
def _get_settings(self, cfg_file): ips = load_configuration(cfg_file)['ips'] self.IPS.ids_mode = ips['ids_mode'] self.IPS.ddos_prevention = ips['ddos']['enabled'] # ddos CPS configured thresholds tcp_src_limit = ips['ddos']['limits']['source']['tcp'] udp_src_limit = ips['ddos']['limits']['source']['udp'] icmp_src_limit = ips['ddos']['limits']['source']['icmp'] self.IPS.connection_limits = { PROTO.ICMP: icmp_src_limit, PROTO.TCP: tcp_src_limit, PROTO.UDP: udp_src_limit } self.IPS.portscan_prevention = ips['port_scan']['enabled'] self.IPS.portscan_reject = ips['port_scan']['reject'] # checking length(hours) to leave IP Table Rules in place for hosts part of ddos attacks self.IPS.block_length = 0 if (self.IPS.ddos_prevention and not self.IPS.ids_mode): self.IPS.block_length = ips['passive_block_ttl'] * ONE_HOUR # NOTE: this will provide a simple way to ensure very recently blocked hosts do not get their # rule removed if passive blocking is disabled. if (not self.IPS.block_length): self.IPS.block_length = TEN_MIN # src ips that will not trigger ips self.IPS.ip_whitelist = set( [IPv4Address(ip) for ip in ips['whitelist']['ip_whitelist']]) self._cfg_change.set() self.initialize.done()
def set_dns_servers(dns_server_info): field = {1: 'primary', 2: 'secondary'} with ConfigurationManager('dns_server') as dnx: dns_server_settings = dnx.load_configuration() public_resolvers = dns_server_settings['dns_server']['resolvers'] for i, (server_name, ip_address) in enumerate(dns_server_info.items(), 1): if (not server_name and ip_address): continue public_resolvers[field[i]].update({ 'name': server_name, 'ip_address': ip_address }) dnx.write_configuration(dns_server_settings) wan_information = load_configuration('config')['settings'] interface = wan_information['interfaces'] wan_dhcp = interface['wan']['dhcp'] wan_int = interface['wan']['ident'] if (not wan_dhcp): wan_ip = interface.get_ip_address(wan_int) wan_dfg = Interface.default_gateway(wan_int) cidr = System.standard_to_cidr(wan_netmask) # TODO: convert this to new module wan_netmask = Interface.netmask(wan_int) set_wan_interface({ 'ip_address': wan_ip, 'cidr': cidr, 'default_gateway': wan_dfg })
def _get_settings(self, cfg_file): ip_proxy = load_configuration(cfg_file)['ip_proxy'] cat_settings = ip_proxy['categories'] geo_settings = ip_proxy['geolocation'] cat_enabled = [] for cat, setting in cat_settings.items(): if (setting): cat_enabled.append(1) self.IPProxy.cat_settings[IPP_CAT[cat.upper()]] = DIR(setting) geo_enabled = [] for cat, setting in geo_settings.items(): if (setting): geo_enabled.append(1) # using enum for category key and direction value try: self.IPProxy.geo_settings[GEO[cat.title()]] = DIR(setting) except KeyError: continue # NOTE: temporary while not all enums/countries are populated self.IPProxy.inspect_on = bool(cat_enabled or geo_enabled) self.IPProxy.cat_enabled = bool(cat_enabled) self.IPProxy.geo_enabled = bool(geo_enabled) self.IPProxy.ids_mode = ip_proxy['ids_mode'] self.initialize.done()
def load_page(): interface_settings = load_configuration('config')['settings'] wan_int = interface_settings['interfaces']['wan'] default_wan_mac = wan_int['default_mac'] configured_wan_mac = wan_int['configured_mac'] dhcp = wan_int['dhcp'] wan_int = wan_int['ident'] # TODO: migrate away from instace Int = Interface() wan_ip = Int.ip_address(wan_int) wan_netmask = Int.netmask(wan_int) wan_dfg = Int.default_gateway(wan_int) current_wan_mac = default_wan_mac if not configured_wan_mac else configured_wan_mac interface_settings = { 'mac': { 'default': default_wan_mac, 'current': current_wan_mac }, 'ip': { 'dhcp': dhcp, 'ip_address': wan_ip, 'netmask': wan_netmask, 'default_gateway': wan_dfg } } return interface_settings
def wrapper(*args): # will redirect to login page if user is not logged in username = session.get('username', None) session_tracker = load_configuration( 'session_tracker', filepath='dnx_frontend')['active_users'] # NOTE: this is dnx local tracking of sessions. not to be confused with flask session tracking dnx_session_data = session_tracker.get(username) if not dnx_session_data or dnx_session_data[ 'remote_addr'] != request.remote_addr: return redirect(url_for('dnx_login')) # will redirect to not authorized page if the user role does not match # requirements for the page # user_role = Authentication.get_user_role(username) # NOTE: should be depricated by dnx session tracker if (dnx_session_data['user_role'] not in authorized_roles): session.pop('username', None) return render_template('dnx_not_authorized.html', navi=True, login_btn=True, idle_timeout=False) dnx_session_data['username'] = username # flask page function page_action = function_to_wrap(dnx_session_data) return page_action
def _load_restriction(self): restriction = load_configuration('ip_proxy.json') offset_settings = load_configuration('logging_client.json') restriction_start = restriction['ip_proxy']['time_restriction'][ 'start'] restriction_length = restriction['ip_proxy']['time_restriction'][ 'length'] offset = offset_settings['logging']['time_offset'] os_direction = offset['direction'] os_amount = offset['amount'] offset = int(f'{os_direction}{os_amount}') * 3600 return restriction_start, restriction_length, offset
def load_page(): logging_settings = load_configuration('logging_client')['logging'] logging = logging_settings['logging'] log_level = logging['level'] log_length = logging['length'] log_settings = {'level': log_level, 'length': log_length} time_offset = logging_settings['time_offset'] offset_values = { 'direction': time_offset['direction'], 'amount': time_offset['amount'] } system_time = System.format_date_time(fast_time()) local_time = System.calculate_time_offset(fast_time()) local_time = System.format_date_time(local_time) logging_settings = { 'system': system_time, 'local': local_time, 'logging': log_settings, 'offset': offset_values } return logging_settings
def get_settings(self): dnx_settings = load_configuration('config')['settings'] self.lan_int = dnx_settings['interfaces']['lan']['ident'] self.wan_int = dnx_settings['interfaces']['wan']['ident'] self.custom_chains = ['FIREWALL', 'NAT', 'DOH']
def __init__(self): dnx_settings = load_configuration('config')['settings'] self._wan_int = dnx_settings['interfaces']['wan']['ident'] self._lan_int = dnx_settings['interfaces']['lan']['ident'] self._iptables_lock_file = f'{HOME_DIR}/dnx_system/iptables.lock'
def load_page(): logging_settings = load_configuration('logging_client')['logging'] log = logging_settings['logging'] # correcting time for configured offset. time_offset = logging_settings['time_offset'] system_time = System.format_date_time(fast_time()) local_time = System.calculate_time_offset(fast_time()) local_time = System.format_date_time(local_time) logging_settings = { 'system': system_time, 'local': local_time, 'offset': { 'direction': time_offset['direction'], 'amount': time_offset['amount'] }, 'logging': { 'log_levels': [level.title() for level in LOG_LEVELS], 'level': log['level'], 'length': log['length'] } } return logging_settings
def syslog_settings(syslog_settings): syslog = load_configuration('syslog_client')['syslog'] configured_syslog_servers = syslog['servers'] if (not configured_syslog_servers): raise ValidationError( 'Syslog servers must be configured before modifying client settings.' ) tls_retry = convert_int(syslog_settings['tls_retry']) tcp_retry = convert_int(syslog_settings['tcp_retry']) tls_settings = syslog_settings['tls'] syslog_settings = syslog_settings['syslog'] if (tls_retry not in [5, 10, 60] and tcp_retry not in [5, 10, 30]): raise ValidationError('Syslog settings are not valid.') for item in tls_settings: if (item not in [ 'enabled', 'tcp_fallback', 'udp_fallback', 'self_signed' ]): raise ValidationError('Syslog settings are not valid.') for item in syslog_settings: if (item not in ['syslog_enabled', 'syslog_protocol']): raise ValidationError('Syslog settings are not valid.') if ('syslog_protocol' not in syslog_settings): if ('encrypted_syslog' in tls_settings): raise ValidationError('TCP must be enabled to enable TLS.') if ('tcp_fallback' in tls_settings): raise ValidationError('TLS must be enabled before TCP fallback.')
def set_dns_servers(dns_server_info): with ConfigurationManager('dns_server') as dnx: dns_server_settings = dnx.load_configuration() dns = dns_server_settings['dns_server']['resolvers'] for i, (server_name, ip_address) in enumerate(dns_server_info.items(), 1): if (server_name and ip_address): server = dns[f'server{i}'] server.update({'name': server_name, 'ip_address': ip_address}) dnx.write_configuration(dns_server_settings) wan_information = load_configuration('config') interface = wan_information['settings']['interface'] wan_dhcp = interface['wan']['dhcp'] wan_int = interface['outside'] if (not wan_dhcp): wan_ip = interface.get_ip_address(wan_int) wan_netmask = Interface.netmask(wan_int) wan_dfg = Interface.default_gateway(wan_int) cidr = System.standard_to_cidr(wan_netmask) wan_settings = { 'ip_address': wan_ip, 'cidr': cidr, 'default_gateway': wan_dfg } set_wan_interface(wan_settings)
def load_page(): users = load_configuration('logins')['users'] userlist = {} for account, info in users.items(): userlist[account] = ('*****', info['role']) return userlist
def get_settings(self): dnx_settings = load_configuration('config')['settings'] self._lan_int = dnx_settings['interfaces']['lan']['ident'] self._wan_int = dnx_settings['interfaces']['wan']['ident'] self.custom_filter_chains = ['GLOBAL_INTERFACE', 'WAN_INTERFACE', 'LAN_INTERFACE', 'DMZ_INTERFACE', 'NAT', 'DOH'] self.custom_nat_chains = ['DSTNAT', 'SRCNAT']
def _ip_whitelist(self, cfg_file): whitelist = load_configuration(cfg_file) ip_whitelist = set(whitelist['ips']['whitelist']['ip_whitelist']) if (self.whitelist_dns_servers): dns_servers_settings = load_configuration('dns_server.json') dns_servers = dns_servers_settings['dns_server'] dns1 = dns_servers['resolvers']['server1']['ip_address'] dns2 = dns_servers['resolvers']['server2']['ip_address'] self.IPS.ip_whitelist = ip_whitelist.union({dns1, dns2}) else: self.IPS.ip_whitelist = ip_whitelist self._cfg_change.set() self.initialize.done()
def dns_record_remove(dns_record_name): dns_server = load_configuration('dns_server')['dns_server'] if (dns_record_name == 'dnx.firewall'): raise ValidationError('Cannot remove dnxfirewall dns record.') if (dns_record_name not in dns_server['records']): raise ValidationError(INVALID_FORM)
def load_page(): ips = load_configuration('ips.json')['ips'] passive_block_ttl = ips['passive_block_ttl'] ids_mode = ips['ids_mode'] # ddos settings ddos_enabled = ips['ddos']['enabled'] tcp_src_limit = ips['ddos']['limits']['source']['tcp'] udp_src_limit = ips['ddos']['limits']['source']['udp'] icmp_src_limit = ips['ddos']['limits']['source']['icmp'] ddos_settings = { 'enabled': ddos_enabled, 'tcp': tcp_src_limit, 'udp': udp_src_limit, 'icmp': icmp_src_limit } # portscan settings portscan_prevention = ips['port_scan']['enabled'] portscan_reject = ips['port_scan']['reject'] portscan_settings = { 'enabled': portscan_prevention, 'reject': portscan_reject } # ips host/ configured dns server whitelist ip_whitelist = ips['whitelist']['ip_whitelist'] dns_server_whitelist = ips['whitelist']['dns_servers'] ips_enabled = bool(ddos_enabled or portscan_prevention) # TODO: clean this shit up. tcp_nat = ips['open_protocols']['tcp'] udp_nat = ips['open_protocols']['udp'] nats_configured = tcp_nat or udp_nat if (not nats_configured): ddos_notify = True if not ddos_enabled else False ps_notify = True if not portscan_prevention else False else: ddos_notify = False ps_notify = False ips_settings = { 'enabled': ips_enabled, 'length': passive_block_ttl, 'ids_mode': ids_mode, 'ddos': ddos_settings, 'port_scan': portscan_settings, 'ddos_notify': ddos_notify, 'ps_notify': ps_notify, 'ip_whitelist': ip_whitelist, 'dns_server_whitelist': dns_server_whitelist } return ips_settings
def _load_leases(self): # print('[+] Loading leases from file.') dhcp_settings = load_configuration('dhcp_server') stored_leases = dhcp_settings['dhcp_server']['leases'] self.update({ IPv4Address(ip): lease_info for ip, lease_info in stored_leases.items() })
def _load_top_domains(self): self._top_domains = fo.load_configuration('dns_cache') dom_list = reversed(list(self._top_domains)) self._dom_counter = Counter( {dom: cnt for cnt, dom in enumerate(dom_list)}) self._top_dom_filter = set(fo.load_top_domains_filter())
def bandwidth(): intstat = {} interface_bandwidth = load_configuration('interface_speed.json') for interface, value in interface_bandwidth.items(): rx = str(round(int(value[0])/1024, 2)) + ' MB/s' tx = str(round(int(value[1])/1024, 2)) + ' MB/s' intstat[interface] = [rx, tx] # print(intstat) return intstat
def _user_authorized(self, username, hexpass): local_accounts = load_configuration('logins')['users'] try: password = local_accounts[username]['password'] except KeyError: return False else: # returning True on password match else False return password == hexpass